b"TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                     Insufficient E-Services Controls May Put\n                           Taxpayer Information at Risk\n\n\n\n                                           June 29, 2012\n\n                               Reference Number 2012-40-071\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n Redaction Legend:\n 2 (f) = Risk Circumvention of Agency Regulation or Statute\n\n\n Phone Number | 202-622-6500\n E-mail Address | TIGTACommunications@tigta.treas.gov\n Website        | http://www.tigta.gov\n\x0c                                                     HIGHLIGHTS\n\n\nINSUFFICIENT E-SERVICES CONTROLS                        who can file a power of attorney electronically\nMAY PUT TAXPAYER INFORMATION AT                         have access to Disclosure Authorization.\nRISK                                                    Although the IRS requires tax professionals to\n                                                        obtain a taxpayer signature before filing the\n                                                        power of attorney, controls do not ensure tax\nHighlights                                              professionals comply with the requirement. Tax\n                                                        professionals are also using a power of attorney\nFinal Report issued on June 29, 2012                    for other than its intended purpose, such as\n                                                        obtaining a power of attorney solely for the\nHighlights of Reference Number: 2012-40-071             purpose of ordering and providing tax return\nto the Internal Revenue Service Commissioner            transcripts for individuals who request them\nfor the Wage and Investment Division.                   online. In addition, tax professionals who have\n                                                        access to e-Services but are not permitted by\nIMPACT ON TAXPAYERS                                     the IRS to electronically file a power of attorney\nBy law, the IRS can generally disclose tax              can circumvent this control ********2(f)***********\ninformation only to a taxpayer or that taxpayer\xe2\x80\x99s       *************2(f)*******.\ndesignee or attorney-in-fact. Taxpayers can             Lastly, IRS employees have access to\nauthorize individuals to represent them and can         e-Services online tools but are prohibited from\nauthorize a designee or attorney-in-fact to             participating in tax preparation activities. The\nreceive confidential tax information. Taxpayers\xe2\x80\x99        IRS should not allow IRS employees to have\nsensitive tax return information is at risk of          access to Disclosure Authorization and the\nunauthorized disclosure when controls are               Transcript Delivery System without managerial\ninsufficient to ensure that tax professionals           authorization and a business need.\nproperly file a power of attorney with the IRS\nbefore it discloses taxpayer information to them.       WHAT TIGTA RECOMMENDED\nWHY TIGTA DID THE AUDIT                                 TIGTA recommended the IRS conduct periodic\n                                                        data analysis to identify tax professionals using\nThis audit was initiated as a result of a referral      Disclosure Authorization for purposes other than\nfrom the TIGTA Office of Investigations that            its intended purpose. The IRS ********2(f)********\nidentified a potential e-Services control               ******2(f)*********** to verify tax professionals\nweakness over electronically submitted powers           retain a signed power of attorney before\nof attorney. E-Services is a suite of web-based         submitting one through Disclosure Authorization.\nproducts for tax professionals that provides            Also, the IRS should periodically review policies\nmultiple electronic IRS products and services.          for granting Disclosure Authorization access to\nThe overall objective of this review was to             tax professionals, especially unenrolled tax\ndetermine if controls over e-Services are               return preparers and registered tax return\nsufficient to prevent unauthorized access to            preparers. Finally, the IRS should ensure\ntaxpayer information.                                   unauthorized IRS employees do not have\nWHAT TIGTA FOUND                                        access to e-Services and monitor transactions of\n                                                        employees who are authorized access.\nTaxpayer information may be at risk of\nunauthorized disclosure and misuse when tax             IRS officials agreed with the intent of three of the\nprofessionals electronically submit powers of           four recommendations and plan to take actions\nattorney. Controls are insufficient to ensure:          to improve internal controls for accessing and\n1) tax professionals obtain a signed Form 2848,         using Disclosure Authorization and the\nPower of Attorney and Declaration of                    Transcript Delivery System. They did not agree\nRepresentation, before submitting it via                tax professionals are misusing Disclosure\ne-Services Disclosure Authorization; 2) tax             Authorization by requesting transcripts;\nprofessionals use Form 2848 only for its                however, tax practitioners are obtaining powers\nintended purpose; and 3) only tax professionals         of attorney with no intention of representing\n                                                        taxpayers before the IRS.\n\x0c                                            DEPARTMENT OF THE TREASURY\n                                                 WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                            June 29, 2012\n\n\n MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION\n\n\n FROM:                       Michael E. McKenney\n                             Acting Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Insufficient E-Services Controls May Put\n                             Taxpayer Information at Risk (Audit # 201240033)\n\n This report presents the results of our review to determine if controls over e-Services are\n sufficient to prevent unauthorized access to taxpayer information. This audit originated from a\n referral from the Treasury Inspector General for Tax Administration Office of Investigations that\n identified a potential weakness over electronically submitted powers of attorney that allows tax\n professionals with access to e-Services to obtain tax account records without the taxpayer\xe2\x80\x99s\n knowledge and/or authorization. This audit is included in our Fiscal Year 2012 Audit Plan and\n addresses the major management challenge of Security for Taxpayer Data and Employees.\n Management\xe2\x80\x99s complete response to the draft report is included in Appendix VII.\n Copies of this report are also being sent to the Internal Revenue Service managers affected by the\n report recommendations. Please contact me at (202) 622-6510 if you have questions or\n Randee Cook, Acting Assistant Inspector General for Audit (Returns Processing and Account\n Services), at (770) 617-6434.\n\x0c                                               Insufficient E-Services Controls May\n                                                Put Taxpayer Information at Risk\n\n\n\n\n                                              Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 5\n          Controls Over E-Services Are Insufficient to Prevent or\n          Detect Unauthorized Disclosure of Taxpayer Information ........................... Page 5\n                    Recommendation 1:........................................................ Page 12\n\n                    Recommendations 2 and 3: .............................................. Page 13\n\n          Internal Revenue Service Employees Have Access to\n          E-Services ..................................................................................................... Page 14\n                    Recommendation 4:........................................................ Page 14\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 15\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 18\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 19\n          Appendix IV \xe2\x80\x93 Confirmation Letter Sent to Taxpayers................................ Page 20\n          Appendix V \xe2\x80\x93 Confirmation Letter Sent to Tax Professionals ..................... Page 23\n          Appendix VI \xe2\x80\x93 Form 2848, Power of Attorney and\n          Declaration of Representative ....................................................................... Page 25\n          Appendix VII \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report .................... Page 27\n\x0c                          Insufficient E-Services Controls May\n                           Put Taxpayer Information at Risk\n\n\n\n\n                             Abbreviations\n\ne-file(d), e-filing   Electronically file(d); electronic filing\nIRS                   Internal Revenue Service\n\x0c                                         Insufficient E-Services Controls May\n                                          Put Taxpayer Information at Risk\n\n\n\n\n                                              Background\n\nIn Calendar Year 2011, more than 112 million taxpayers opted to electronically file (e-file) their\nFederal tax returns by using commercial software to prepare and file their tax returns, by using\nthe Internal Revenue Service\xe2\x80\x99s (IRS) various e-filing products offered on its public Internet site\n(www.IRS.gov), or by e-filing through a paid tax return preparer. In order for tax professionals\nto conduct business electronically, including e-filing, the IRS developed a suite of web-based\nproducts, called e-Services Online Tools for Tax Professionals (online tools), which provides\nmultiple electronic products and services to tax professionals. The suite is not available to the\ngeneral public; rather, only approved IRS business partners are eligible to participate. Figure 1\nlists the e-Services products offered to tax professionals.\n                                     Figure 1: E-Services Products\n    Disclosure        Eligible tax professionals may complete authorization forms, view and modify existing forms,\n    Authorization     and receive acknowledgement of accepted submissions of tax returns immediately\xe2\x80\x94all\n                      online. Disclosure Authorization allows tax professionals to electronically submit a power of\n                      attorney and Form 2848, Power of Attorney and Declaration of Representative, and\n                      Form 8821, Tax Information Authorization. This service expedites processing and issues a\n                      real-time acknowledgment of accepted submissions.\n    E-File            Applicants can complete the IRS e-file Application using the Internet. Applicants can start\n    Application       the process and save applications in progress so that modifications to a firm's application\n                      can be made quickly and easily without restarting the process. Users can check the status\n                      of the application as the IRS makes updates to the suitability check. Users can also easily\n                      adapt their application to the changes in their businesses. The application allows\n                      management of all Authorized IRS e-file Provider1 information in one place and it more\n                      easily updates the information when changes occur.\n    Electronic        Electronic Account Resolution allows tax professionals to expedite closure on clients\xe2\x80\x99\n    Account           account problems by electronically sending/receiving account-related inquiries. Tax\n    Resolution        professionals may inquire about individual or business account problems, refunds,\n                      installment agreements, missing payments, or notices. Tax professionals must have a\n                      power of attorney on file before accessing a client\xe2\x80\x99s account. The IRS delivers its\n                      response to a secure electronic mailbox within three business days.\n\n\n\n\n1\n  E-file Providers are businesses and organizations that facilitate e-filing and can be an Electronic Return Originator,\nIntermediate Service Provider, Transmitter, or software developer. Electronic Return Originators originate the\nelectronic submission of income tax returns to the IRS. An Electronic Return Originator electronically submits\nincome tax returns that are either prepared by the Electronic Return Originator firm or received from a taxpayer.\nIntermediate Service Providers receive tax information, process it, and return it to an Electronic Return Originator,\nor forward it to a transmitter. Transmitters, once the return is prepared, send the income tax return data to the IRS.\nSoftware developers write the e-file programs according to IRS file specifications and record layouts, making IRS\ne-file and Federal/State e-file possible.\n                                                                                                                Page 1\n\x0c                                         Insufficient E-Services Controls May\n                                          Put Taxpayer Information at Risk\n\n\n\n    Taxpayer          A prefiling service offered to payers and/or authorized agents who submit any of six\n    Identification    information returns subject to backup withholding. With Interactive Taxpayer Identification\n    Number            Number Matching, authorized payers can match up to 25 payee Taxpayer Identification\n    Matching          Number and name combinations against IRS records prior to submitting an information\n                      return. Bulk Taxpayer Identification Number Matching allows payers and/or authorized\n                      agents filing any of the six information returns to match up to 100,000 Taxpayer\n                      Identification Number and name combinations.\n    Transcript        Eligible tax professionals may use the Transcript Delivery System to request and receive tax\n    Delivery          account transcripts,2 wage and income documents, tax return transcripts, and verification of\n    System            nonfiling letters for both individual and business taxpayers. Tax professionals must have a\n                      power of attorney authorization on file with the IRS before accessing a client's account (or\n                      use Disclosure Authorization to file an authorization on a new client and obtain Transcript\n                      Delivery System information immediately).\nSource: IRS.gov.\n\nOnly approved IRS business partners are eligible to participate in e-Services. When applying for\naccess, applicants provide information the IRS can verify using existing taxpayer records. The\napplicant\xe2\x80\x99s professional status determines the type of documentation that he or she must submit.\n      \xef\x82\xb7   Tax professionals with professional certifications, such as certified public accountants,\n          attorneys, and enrolled agents,3 do not have to meet e-file requirements4 and do not need\n          to submit fingerprint cards. The IRS allows these individuals to send a copy of their\n          certification in lieu of a fingerprint card.\n      \xef\x82\xb7   Most other tax professionals without professional certifications must meet e-file\n          requirements and submit a fingerprint card, and they are subject to an IRS screening\n          process that may include criminal background or credit history checks.\nThis audit originated as the result of a referral from the Treasury Inspector General for Tax\nAdministration Office of Investigations. Investigators identified a potential control weakness\nthat allows tax return preparers with access to e-Services to electronically submit powers of\nattorney and obtain taxpayers\xe2\x80\x99 tax account records without taxpayer knowledge and/or\nauthorization. Disclosure Authorization and the Transcript Delivery System allow\ne-Services participants to electronically file a power of attorney and then immediately submit\nand obtain taxpayers\xe2\x80\x99 tax account information.\nBy law, the IRS can generally disclose taxpayers\xe2\x80\x99 tax information only to the taxpayer or the\ntaxpayer\xe2\x80\x99s designee or representative. Taxpayers can authorize one or more individuals to\n\n\n2\n  A tax account transcript provides basic information, including marital status, type of return filed, Adjusted Gross\nIncome (gross income minus adjustments to income), taxable income, and later adjustments, if any.\n3\n  These professionals pass an IRS examination or present evidence of qualifying experience as a former IRS\nemployee and have been issued an enrollment card.\n4\n  The e-file requirement is for tax professionals to electronically file five or more accepted individual and/or\nbusiness returns.\n                                                                                                               Page 2\n\x0c                                          Insufficient E-Services Controls May\n                                           Put Taxpayer Information at Risk\n\n\n\nrepresent them on tax-related issues and can authorize a designee or representative to receive\nconfidential tax information. The IRS provides specific forms taxpayers and tax professionals\ncan use for each situation.\n       \xef\x82\xb7   Form 2848, Power of Attorney and Declaration of Representative \xe2\x80\x93 Taxpayers can use\n           this form to authorize an individual or individuals to represent them before the IRS. It\n           authorizes the listed representative(s)5 to receive and inspect confidential tax information\n           and to perform all acts (that is, sign agreements, consents, waivers, or other documents)\n           that taxpayers can perform with respect to matters described in the power of attorney.\n           Form 2848 specifically states the IRS will not honor Form 2848 for any purpose other\n           than representation before the IRS. In addition, when the IRS accepts the Form 2848, it\n           supersedes any existing powers of attorney for the tax periods specified unless the\n           taxpayer or tax professional indicates otherwise on the form and provides a copy of the\n           previous power of attorney that needs to remain in effect.\n       \xef\x82\xb7   Form 8821, Tax Information Authorization \xe2\x80\x93 Taxpayers can use this form to authorize\n           an individual or organization to receive or inspect confidential tax return information. By\n           completing this form, the taxpayer does not authorize an individual or organization to\n           represent him or her before the IRS.\n       \xef\x82\xb7   Form 4506-T, Request for Transcript of Tax Return \xe2\x80\x93 Taxpayers can use this form if\n           they want to authorize an individual or organization to receive or inspect transcripts of\n           confidential tax return information, but do not want to authorize the individual to\n           represent them before the IRS. Taxpayers often use this form to authorize third parties to\n           verify their compliance with Federal income tax requirements.\nTax professionals can use Disclosure Authorization only to submit Forms 2848 and 8821. They\ncannot use it to submit a Form 4506-T.\nSince Fiscal Year 2004, e-Services users have submitted more than 899,000 Forms 2848 to the\nIRS via Disclosure Authorization and almost 16.9 million transcript requests from tax\nprofessionals using the Transcript Delivery System. Figure 2 shows the steady increase in the\nnumber of e-Services users, Forms 2848 filed electronically, and transcript requests.\n\n\n\n\n5\n    Appendix VI provides a copy of Form 2848. Part II of Form 2848 includes a list of representatives.\n                                                                                                         Page 3\n\x0c                                          Insufficient E-Services Controls May\n                                           Put Taxpayer Information at Risk\n\n\n\n        Figure 2: Increases in Usage of E-Services, Disclosure Authorization,\n             and the Transcript Delivery System Since Fiscal Year 2004\n\n                                                                      30.00%\n\n\n\n\n                                                                               Percentage\xc2\xa0of\xc2\xa0Total\xc2\xa0Use\xc2\xa0Since\xc2\xa02004\n                                                                      25.00%\n\n                                                                      20.00%\n\n                                                                      15.00%                                        Forms\xc2\xa02848\xc2\xa0Submitted\n                                                                                                                    Transcript\xc2\xa0Requests\n                                                                      10.00%\n                                                                                                                    e\xe2\x80\x90Services\xc2\xa0Registrations\n                                                                      5.00%\n\n                                                                      0.00%\n     2004     2005     2006     2007      2008   2009   2010   2011\n                                  Fiscal\xc2\xa0Year\n\nSource: e-Services Statistical Reports.\n\nThis review was performed at the Wage and Investment Division Headquarters in\nAtlanta, Georgia, during the period November 2011 through April 2012. We conducted this\nperformance audit in accordance with generally accepted government auditing standards. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit objective. We\nbelieve that the evidence obtained provides a reasonable basis for our findings and conclusions\nbased on our audit objective. Detailed information on our audit objective, scope, and\nmethodology is presented in Appendix I. Major contributors to the report are listed in\nAppendix II.\n\n\n\n\n                                                                                                                                    Page 4\n\x0c                                        Insufficient E-Services Controls May\n                                         Put Taxpayer Information at Risk\n\n\n\n\n                                       Results of Review\n\nControls Over E-Services Are Insufficient to Prevent or Detect\nUnauthorized Disclosure of Taxpayer Information\nDuring Calendar Year 2011, tax professionals submitted more than 2.5 million transcript\nrequests through e-Services. A statistical sample of 600 of the 2.5 million transcripts showed\nthat controls are sufficient to ensure that tax professionals who request taxpayers\xe2\x80\x99 tax return\ninformation file a power of attorney with the IRS before it disclosed taxpayer information to\nthem. However controls are insufficient to ensure that:\n    \xef\x82\xb7    Tax professionals obtain a signed Form 2848 before submitting it via e-Services\n         Disclosure Authorization. The IRS\xe2\x80\x99s Disclosure Authorization guidelines and online\n         tutorial requires that tax professionals obtain the taxpayer\xe2\x80\x99s signature on a paper\n         Form 2848 before submitting an electronic request through Disclosure Authorization.\n    \xef\x82\xb7    Tax professionals use Form 2848 only for its intended purpose(s). Taxpayers should\n         use Form 2848 only to authorize a tax professional to represent them. Taxpayers should\n         use Form 4506-T when they want an individual or organization to receive their tax return\n         information.\n    \xef\x82\xb7    Only tax professionals who can file a Form 2848 electronically have access to\n         Disclosure Authorization. This generally includes tax professionals who qualify as\n         attorneys, certified public accountants, or enrolled agents. Unenrolled tax return\n         preparers and registered tax return preparers6 must submit a Form 2848 on paper.\nDuring a two-month period between October 1 and November 30, 2011, tax professionals\nelectronically submitted 153,224 Forms 2848 and subsequently requested at least one transcript\nfor the period covered on those forms. We randomly selected 750 of the 153,224 Forms 2848\nand sent 747 confirmation letters to the taxpayers for whom they were submitted.7 We asked\nthem to confirm that (1) they gave the tax professional listed on the Form 2848 permission to\nreceive tax information about them for the specific tax year listed and (2) they signed a\nForm 2848 before the tax professional submitted it.\n\n\n6\n  Prior to 2010, the IRS did not regulate tax return preparers. All paid tax return preparers who do not have a\nprofessional certification must register with the IRS and pass a competency test before January 1, 2014, to prepare\nand file tax returns. Once they pass the competency test, they become registered tax return preparers. Unenrolled\ntax return preparers are those who currently are paid preparers but who are not an attorney, certified public\naccountant, lawyer, enrolled agent, or registered tax return preparer.\n7\n  We were unable to locate addresses for three taxpayers.\n                                                                                                             Page 5\n\x0c                                        Insufficient E-Services Controls May\n                                         Put Taxpayer Information at Risk\n\n\n\nOf the 373 responses (50 percent response rate) received from taxpayers:\n     \xef\x82\xb7   3 (0.8 percent) of the 373 taxpayers responded that they had given permission to the tax\n         professional to receive information but had not signed a Form 2848.\n     \xef\x82\xb7   12 (3.2 percent) of the 373 had signed a Form 2848 but responded that they had signed it\n         after the tax professional electronically submitted it to the IRS.\n     \xef\x82\xb7   16 (4.3 percent) of the 373 taxpayers responded that they had not given permission to the\n         tax professional to receive tax information about them or signed a Form 2848.\nFigure 3 shows these results projected to the population.8\n                Figure 3: Analysis of Responses Received From Taxpayers\n                                                         Sample\n                                                                                            Projections for\n                                                        of Forms       Percentage\n                                                                                              Population\n                                                          2848\n    Gave Permission Without Signing Form 2848                3             0.8%                 254-3,570\n    Signed Form 2848 After Submitted to\n                                                            12             3.2%                2,559-8,504\n    Disclosure Authorization\n    Did Not Give Permission                                 16             4.3%               3,785-10,542\n\n    No Issues                                               342           91.7%             136,197-144,783\n\n    Totals                                                  373            100%                  153,224\n\n\n\n      Source: Our analysis of taxpayers\xe2\x80\x99 responses to our confirmation letters.\n\nWe also sent letters to the 560 tax professionals who electronically submitted 736 of the\n750 Forms 2848 and requested hardcopies of the signed Forms 2848.9 Before tax professionals\nsubmit an electronic power of attorney request through e-Services, they are required to obtain a\nsignature from the taxpayer on a Form 2848 and retain it. They are also required to provide the\nIRS a copy of the Form 2848 upon request. We received responses from tax professionals for\n\n\n\n\n8\n  A sample size of 373 responses from taxpayers and error rates of 0.8 percent, 3.2 percent, and 4.3 percent allowed\nus to project our results to the total population of 153,224 Forms 2848 at a 95 percent confidence level with standard\nerrors of 0.46 percent, 0.91 percent, and 1.05 percent, respectively. A point projection of 91.7 percent for instances\nin which there were no issues allowed us to project our results at a 95 percent confidence level with a precision rate\nof \xc2\xb12.8 percent.\n9\n  We were unable to mail requests for 14 of the 750 Forms 2848.\n                                                                                                              Page 6\n\x0c                                        Insufficient E-Services Controls May\n                                         Put Taxpayer Information at Risk\n\n\n\n625 (85 percent) of the 736 Forms 2848. Figure 4 shows the results of the confirmation letters\nsent to tax professionals, projected to the population.10\n          Figure 4: Analysis of Responses Received From Tax Professionals\n\n\n                                                                                                    Projections for\n                                          Sample of Forms 2848               Percentage\n                                                                                                      Population\n\nNo Copy Provided With Response\n                                                     154                        20.9%               27,565-36,555\nor Incorrect Copy Provided\n\nNo response to Request                                91                        12.4%               15,307-22,582\n\nTotal Documents Not Provided or\n                                                     245                        33.3%               45,798-56,213\nIncorrect\n\nNo Issues                                            471                        64.0%               92,571-103,359\n\nPost Office Returned As\n                                                      20                         2.7%                 2,367-5,960\nUndeliverable\n\nTotals                                               736                         100%                   153,224\n\n\n\n     Source: Our analysis of tax professionals\xe2\x80\x99 responses to our request for documentation.\n\nA copy was incorrect if it did not contain evidence of the taxpayer approving submission of a\npower of attorney before the tax professional submitted it on Disclosure Authorization. For\nexample, we considered a copy to be incorrect if it did not have a taxpayer signature with a date\non or before the date the tax professional submitted the power of attorney electronically or if\nthere was not a taxpayer signature at all.\nThe IRS risks unauthorized disclosures of taxpayer information when tax professionals obtain\naccess to taxpayer data without a signed Form 2848. When tax professionals use Form 2848 for\npurposes other than for what it is intended, they are circumventing IRS controls in place to\nprotect taxpayer information. When tax professionals are able to circumvent Disclosure\nAuthorization controls that prevent them from filing powers of attorney electronically, they may\nbe obtaining powers of attorney for taxpayers they have no right to represent.\n\n10\n   A sample size of 736 requests to tax professionals and error rates of 20.9 percent, 12.4 percent, and 33.3 percent\nallowed us to project our results to the total population of 153,224 Forms 2848 at a 95 percent confidence level with\nprecision rates of \xc2\xb12.9 percent, \xc2\xb12.4 percent, and \xc2\xb13.4 percent, respectively. A point projection of 64 percent for\ninstances in which there were no issues allowed us to project our results at a 95 percent confidence level with a\nprecision rate of \xc2\xb13.5 percent. For the 20 requests that were undeliverable, a 2.7 percent point projection allowed us\nto project our results at a 95 percent confidence level with a precision rate of \xc2\xb11.2 percent.\n                                                                                                              Page 7\n\x0c                                        Insufficient E-Services Controls May\n                                         Put Taxpayer Information at Risk\n\n\n\n*****************************************2(f)**************************************************\n*************2(f)************\nAlthough the IRS requires tax professionals to obtain a signed copy of a Form 2848 before they\nsubmit a power of attorney through Disclosure Authorization,******************2(f)*****\n*********************2(f)**************. In fact, many tax professionals may be unaware\nof requirements to maintain a hardcopy Form 2848.\nAfter receiving our confirmation letters, five tax professionals called us and stated they were not\naware of requirements to maintain a signed Form 2848. Two tax professionals stated they had\ncalled the e-Help desk11 for clarification, and assistors advised them there was not a requirement\nto maintain the signed Form 2848.\nOn January 27, 2012, we advised the IRS of the situation. The IRS took immediate action;\ntherefore, we are not making any further recommendations at this time. The IRS responded that\nit would remind assistors of and reinforce the requirement for tax professionals to maintain a\nsigned Form 2848 when they submit powers of attorney through Disclosure Authorization by:\n     \xef\x82\xb7   Reinforcing the requirement during assistors\xe2\x80\x99 team meetings and issuing an e-Help\n         Communication to assistors.\n     \xef\x82\xb7   Adding a reminder of the requirement to the existing e-Help assistor solutions document.\n     \xef\x82\xb7   Updating the Internal Revenue Manual.\nTax professionals are not required to send the IRS the original or a copy of the Forms 2848 they\nuse to electronically submit a power of attorney through Disclosure Authorization. Additionally,\nthe IRS *********************************2(f)********************************\n****************************************2(f)***********************************\n***********************2(f)***********************. The IRS does conduct compliance\nreviews of tax return preparers, *****************2(f)****************************.\nThese controls come with costs. Requiring tax professionals to mail or fax signed Forms 2848\nhas limitations and would be costly. **********************2(f)*******************\n******************************************2(f)*********************************\n******************************************2(f)*********************************\n******************************************2(f)********************************\n********2(f)****************. This effort could also be part of the IRS\xe2\x80\x99s annual filing\nseason visitations to return preparers to heighten awareness of preparer responsibilities.\n**************************************2(f)************************************\n**************************************2(f)**********************************\n****************2(f)************.\n\n11\n  The e-Help desk assists e-Services users with questions and issues concerning e-products that are not account\nrelated.\n                                                                                                            Page 8\n\x0c                                      Insufficient E-Services Controls May\n                                       Put Taxpayer Information at Risk\n\n\n\nE-Services Disclosure Authorization and Transcript Delivery System are being\nused for other than their intended purposes\nTax professionals are using e-Services to circumvent standard IRS procedures and controls by\nsubmitting Form 2848 for the sole purpose of ordering and providing transcripts for taxpayers.\nThis allows them to obtain an account transcript for taxpayers within minutes. Form 2848 states\nthat the IRS will not honor it for any purpose other than representing a taxpayer before the IRS.\nFigure 5 provides an excerpt from Form 2848.\n                                Figure 5: Excerpt From Form 2848\n\n\n\n\n     Source: IRS Form 2848.\n\nCommercial Internet websites offer to provide taxpayers, for a fee, tax account information. To\nobtain taxpayers\xe2\x80\x99 tax return information, taxpayers are asked to provide the information needed\nto submit a Form 2848 through Disclosure Authorization. After submitting the power of\nattorney via Disclosure Authorization, tax professionals can immediately obtain tax account\ntranscripts through e-Services Transcript Delivery System. We identified websites that charged\ntaxpayers as much as $39.95 or more for this service.\nThe IRS has established procedures and controls to safeguard a taxpayer\xe2\x80\x99s Personally\nIdentifiable Information, which includes the information contained on a tax account transcript.\n                                                 When taxpayers want to obtain their tax account\n  Personally Identifiable Information            transcripts, they can obtain their own records for\n  includes an individual\xe2\x80\x99s:\n                                                 free by:\n \xef\x82\xb7     Name.\n \xef\x82\xb7     Address.                                      \xef\x82\xb7   Using the IRS Automated Self-Help\n \xef\x82\xb7     E-mail Address.                                   Service Tools on the IRS\xe2\x80\x99s public\n \xef\x82\xb7     Social Security Number.                           Internet site, IRS.gov.\n \xef\x82\xb7     Telephone Number.\n \xef\x82\xb7     Bank Account Number.                          \xef\x82\xb7   Calling an IRS toll-free telephone line.\n \xef\x82\xb7     Date and Place of Birth.\n \xef\x82\xb7     Mother\xe2\x80\x99s Maiden Name.                         \xef\x82\xb7   Using an app on a mobile device.\n \xef\x82\xb7     Biometric Data (e.g., height, weight, eye\n       color, finger prints).                        \xef\x82\xb7   Visiting a local IRS office or sending a\n                                                         request to the IRS.\n\n\n\n                                                                                             Page 9\n\x0c                                  Insufficient E-Services Controls May\n                                   Put Taxpayer Information at Risk\n\n\n\nIn most cases, the taxpayer would receive the account transcript in approximately two weeks.\nHowever, taxpayers can obtain an account transcript the same day they visit a local IRS office.\nRegardless of the method used to obtain a transcript, taxpayers must authenticate themselves. If\nordering online or via an app on a mobile device, the IRS will mail the tax return information\nonly to the taxpayer\xe2\x80\x99s address of record. Therefore, individuals other than the taxpayer who may\nhave the taxpayer\xe2\x80\x99s information will not be able to have a transcript sent to them.\n***********************************2(f)************************************\n***********************************2(f)****************************************\n****2(f)*****. In addition, taxpayers could be unaware the tax professional is first submitting a\npower of attorney to the IRS, which:\n   \xef\x82\xb7   Allows a tax professional complete access to a taxpayer\xe2\x80\x99s tax records. A power of\n       attorney authorizes the listed representative to receive and inspect confidential tax\n       information and to perform all acts that taxpayers can perform with respect to matters\n       described in the power of attorney.\n   \xef\x82\xb7   Supersedes any existing powers of attorney on file with the IRS for the specified tax\n       year(s). By doing so, tax professionals whom the taxpayer has legitimately authorized to\n       represent them will no longer be able to do so.\nThe IRS is not conducting trending or data analysis that would identify the tax professionals\nengaged in this practice. However, it maintains records of every power of attorney submitted via\nDisclosure Authorization and every transcript request made via the Transcript Delivery System.\nThe IRS could use these records to identify tax professionals who may be misusing Form 2848 to\norder account transcripts.\nThe IRS must be able to assure taxpayers it is protecting their confidential tax return information.\nIt should have sufficient internal controls that detect potential misuse of its systems that disclose\ntaxpayer information to third parties, including controls to identify transactions that may not\nmeet its policies and procedures.\nTaxpayers who do not wish to obtain their own tax return information can allow third parties to\nobtain them by completing a Form 4506-T\nForm 4506-T allows taxpayers to give interested third parties the authority to obtain their\nconfidential tax return information without giving them a power of attorney. Taxpayers may\ncomplete a Form 4506-T and either send it to the IRS or have the third party send it to the IRS.\nAdditionally, the IRS offers the Income Verification Express Services Program, in which third\nparties can verify income information on behalf of a taxpayer. For third parties to obtain\ntranscripts, taxpayers can complete and provide the third party with either a completed\nForm 4506-T or a Form 4506T-EZ, Short Form Request for Individual Tax Return Transcript.\nSee Figure 6 for an excerpt of Form 4506-T.\n\n                                                                                            Page 10\n\x0c                                     Insufficient E-Services Controls May\n                                      Put Taxpayer Information at Risk\n\n\n\n                               Figure 6: Excerpt From Form 4506-T\n\n\n\n\n          Source: IRS Form 4506-T.\n\nThe request must include the name, address, and telephone number of the third party to whom\nthe IRS should send the income information. Income Verification Express Service participants\npay $2.00 per request and FAX a Form 4506-T to the IRS. In turn, the IRS e-mails the requested\ninformation to the participant\xe2\x80\x99s secure e-Services mailbox.\n\nTax professionals who are not authorized are using Disclosure Authorization to\nfile powers of attorney\nThe IRS allows only certain tax professionals to access and use Disclosure Authorization. They\ninclude:\n      \xef\x82\xb7   Attorneys, certified public accountants, or enrolled agents who may represent taxpayers\n          in proceedings before the IRS.\n      \xef\x82\xb7   Electronic Return Originators who have e-filed five or more accepted returns.\nHowever, although they can access Disclosure Authorization, the IRS does not permit Electronic\nReturn Originators who are unenrolled tax return preparers or registered tax return preparers to\nsubmit powers of attorney electronically. The IRS requires that Forms 2848 be submitted on\npaper so that it can review the request to ensure unenrolled tax return preparers and registered tax\nreturn preparers meet the requirements to represent the taxpayer.\nTo circumvent this control and obtain immediate powers of attorney and transcripts, ***2(f)***\n******************************************2(f)********************************\n******************************************2(f)*******************************\n******************************************2(f)*******************************\n********************2(f)*********************.\n********************************2(f)**********************************:12\n      \xef\x82\xb7   1 (3.3 percent) *****************2(f)**********************.\n\n\n12\n     **********************************2(f)******************************************.\n                                                                                           Page 11\n\x0c                                   Insufficient E-Services Controls May\n                                    Put Taxpayer Information at Risk\n\n\n\n   \xef\x82\xb7   1 (3.3 percent) ******************2(f)********************.\n   \xef\x82\xb7   4 (13.3 percent) ******************2(f)**********************.\n   \xef\x82\xb7   5 (16.7 percent) ********************2(f)************************.\n   \xef\x82\xb7   18 (60 percent) ***********************2(f)******************************.\nThe IRS************************************2(f)*******************************\n*****************************2(f)*******************************.\nThe IRS originally granted e-Services access to tax return preparers who met e-file requirements\nas part of an incentive program to persuade tax return preparers to e-file their clients\xe2\x80\x99 tax returns.\nHowever, the IRS has not recently reviewed its policies for granting Disclosure Authorization\naccess to the various types of tax professionals to determine if they need access to e-Services\nonline tools. Specifically, it has not determined if unenrolled tax return preparers or registered\ntax return preparers who do not qualify as attorneys, certified public accountants, or enrolled\nagents should continue to have access to e-Services online tools. ***********2(f)*******\n***************************************2(f)**********************************\n***************************************2(f)***********************************.\nIf the IRS decides not to change its access policies for unenrolled and registered tax return\npreparers, *********************************2(f)******************************\n*****************************************2(f)********************************\n*****************2(f)***********************.\n\nRecommendations\nThe Commissioner, Wage and Investment Division, should:\nRecommendation 1: Identify tax professionals using Disclosure Authorization for purposes\nother than its intended purposes. This will allow the IRS to take appropriate corrective actions,\nsuch as deactivating access to Disclosure Authorization, for tax professionals who present a risk.\nThe IRS may identify tax professionals who submit unusually large volumes of Forms 2848,\nespecially if they are not preparing tax returns, and determine if they used the powers of attorney\nto circumvent the IRS\xe2\x80\x99s process for requesting transcripts.\n       Management\xe2\x80\x99s Response: IRS management did not agree tax professionals are\n       improperly using Disclosure Authorization by requesting transcripts. The instructions to\n       the Form 2848 state that authorization of an eligible representative will allow that\n       individual to receive and inspect confidential tax information.\n       Office of Audit Comment: IRS management did not agree tax professionals are\n       improperly using Disclosure Authorization by requesting transcripts; however, that is not\n       the basis of our conclusion or recommendation. Tax professionals are using Disclosure\n\n                                                                                              Page 12\n\x0c                                 Insufficient E-Services Controls May\n                                  Put Taxpayer Information at Risk\n\n\n\n       Authorization to obtain a power of attorney for the sole purpose of obtaining a tax\n       transcript. As stated at the top of Form 2848, the purpose of a power of attorney is to\n       designate a person or persons to represent a taxpayer before the IRS. The IRS states it\n       will not honor the power of attorney if it is submitted for any other purpose. While a\n       representative may need to obtain tax transcripts when representing a taxpayer, a\n       representative should not obtain a power of attorney for the sole purpose of obtaining tax\n       transcripts without intending to represent the taxpayer before the IRS. The IRS already\n       has a process in place that allows a taxpayer to authorize tax professionals to obtain tax\n       transcripts without the same potential for circumventing privacy controls, giving tax\n       professionals additional powers, or unintentionally superseding any existing powers of\n       attorney.\nRecommendation 2: **********2(f)**************** to verify that tax professionals are\nobtaining and retaining a signed power of attorney before submitting one through Disclosure\nAuthorization. *******************************2(f)****************************\n****************************************2(f)******************************.\n       Management\xe2\x80\x99s Response: IRS management agreed that some tax professionals may\n       be unaware of the requirements to obtain and maintain a hard copy of the signed\n       Form 2848. The IRS will take actions to better educate Disclosure Authorization users of\n       the requirement to obtain a signed Form 2848 prior to its electronic submission and to\n       maintain the signed copy in the authorized representative\xe2\x80\x99s files.\n       Office of Audit Comment: IRS management did not agree to develop a confirmation\n       program. While taking actions to better educate Disclosure Authorization users of the\n       requirements to obtain and maintain signed Forms 2848 prior to electronic submissions\n       will address the issue, management will not be able to measure the effectiveness of these\n       steps or ensure continuing compliance with them without developing a confirmation\n       program to verify that tax professionals are complying with the requirements.\nRecommendation 3: Reassess the policy for granting Disclosure Authorization access to\nunenrolled tax return preparers and registered tax return preparers. If the IRS decides not to\ngrant them access to online tools, the IRS should ensure they no longer have access to Disclosure\nAuthorization. If the IRS decides to continue granting access to unenrolled tax return preparers\nand registered tax return preparers, it should ********************2(f)***************\n****************************************2(f)*********************************\n****************************************2(f)*************************.\n       Management\xe2\x80\x99s Response: *********************2(f)**********************\n       *****************************************2(f)**************************\n       ****************************************2(f)*****************************\n       ********2(f)********. The IRS will reassess the current policy regarding access to\n\n\n                                                                                          Page 13\n\x0c                                     Insufficient E-Services Controls May\n                                      Put Taxpayer Information at Risk\n\n\n\n           Disclosure Authorization and the Transcript Delivery System for unenrolled and\n           registered return preparers and will take appropriate follow-up action.\n\nInternal Revenue Service Employees Have Access to E-Services\nIRS employees have access to e-Services online tools, but are prohibited from participating in\ntax preparation activities.13 The IRS should not allow IRS employees to have access to\nDisclosure Authorization and the Transcript Delivery System without managerial authorization\nand a business need.\nThe IRS should also take steps to ensure its new employees who previously worked as tax\nprofessionals do not have access to e-Services. Employees could use their access capabilities to\nmake unauthorized accesses of taxpayer information. Although the IRS electronically captures\nall Disclosure Authorization and Transcript Delivery System transactions by these employees,\njust as it does for all users, it does not have controls in place to monitor these transactions for\nunauthorized accesses of taxpayer information, and the system does not allow for comparisons to\nexisting employee records.\n\nRecommendation\nRecommendation 4: The Commissioner, Wage and Investment Division, should ensure IRS\nemployees do not have unauthorized access to e-Services online tools by periodically matching\nIRS personnel information to a listing of e-Services users. The IRS should revoke the e-Services\naccess of employees not authorized to have it and monitor the transactions of employees who are\nauthorized access.\n           Management\xe2\x80\x99s Response: IRS management agreed that IRS employees should not\n           have access to e-Services without a legitimate business need. The IRS requested the list\n           of employees and the methodology used during the audit to determine if employees may\n           have unauthorized e-Services access through the Registered User Portal. Once the IRS\n           has received the information, it will further investigate and deactivate any accounts found\n           to have unauthorized access.\n\n\n\n\n13\n     5 C.F.R. \xc2\xa7 3101.106.\n                                                                                              Page 14\n\x0c                                       Insufficient E-Services Controls May\n                                        Put Taxpayer Information at Risk\n\n\n\n                                                                                                 Appendix I\n\n         Detailed Objective, Scope, and Methodology\n\nOur overall objective was to determine if controls over e-Services are sufficient to prevent\nunauthorized access to taxpayer information. This included evaluating and assessing the internal\ncontrols of the e-Services Program and its online tools, including controls that prevent tax\npractitioners and other users from improperly obtaining access to taxpayer information by\nelectronically filing fraudulent power of attorney and/or transcript requests. To accomplish this\nobjective, we:\nI.      Determined if IRS policies and internal controls for providing tax professionals access to\n        e-Services online tools limits the potential for fraud and unauthorized disclosures.\n        A. Determined if the current policies and rules for granting tax professionals access to\n           e-Services online tools minimize the risks of granting access to users who wish to\n           commit fraud.\n        B. Identified and evaluated the internal controls that ensure e-Services users with access\n           to the online tools are qualified to receive it.\nII.     Determined if the controls for processing transcript requests submitted via the Transcript\n        Delivery System effectively detect and prevent unauthorized disclosures of taxpayer\n        information.\n        A. Selected two statistically random samples, each with 300 third-party transcript\n           requests, from the 2.5 million third-party transcript requests submitted via the\n           Transcript Delivery System during Calendar Year 2011 for which the IRS provided\n           the user with the requested information.\n             \xef\x82\xb7   The first sample included third-party transcript requests for which the Transcript\n                 Delivery System indicated that the Centralized Authorization File1 was checked\n                 before completing the request.\n             \xef\x82\xb7   The second sample included third-party transcript requests for which the\n                 Transcript Delivery System indicated that the Centralized Authorization File was\n                 not checked before completing the request.\n             We based our sampling plans on a confidence level of 95 percent, expected error rates\n             of 1 and 2 percent, and a precision of \xc2\xb12 percent, resulting in minimum sample sizes\n\n1\n  The Centralized Authorization File is a computerized system of records which houses authorization information\nfrom both powers of attorney and tax information authorizations.\n                                                                                                         Page 15\n\x0c                                         Insufficient E-Services Controls May\n                                          Put Taxpayer Information at Risk\n\n\n\n               of 95 and 188. We oversampled to 300 in each category to account for any\n               unforeseen circumstances. We compared the samples to the Centralized\n               Authorization File to determine if it contained a corresponding power of attorney for\n               the specific tax period disclosed to the tax professional.\n           B. Determined if the IRS performs any electronic detection testing to identify improper\n              disclosures.\nIII.       Determined if the controls for processing Forms 2848, Power of Attorney and\n           Declaration of Representative, submitted through Disclosure Authority effectively detect\n           and prevent unauthorized disclosures by selecting a statistically valid sample of\n           750 Forms 2848 from the 153,224 Forms 2848 submitted by tax professionals in October\n           and November 2011. We based our sampling plan on a confidence level of 95 percent,\n           an expected error rate of 15 percent, and a precision of \xc2\xb15 percent, resulting in a\n           minimum sample size of 196. Expecting an approximate 30 percent response rate from\n           taxpayers, we oversampled to 750 Forms 2848. To determine if tax professionals had\n           received approval from taxpayers to request transcripts before ordering them, we:\n           A. Mailed letters to the 560 tax professionals who submitted 736 of the 750 Forms 2848\n              and asked them to send us paper copies of the Forms 2848 submitted.2\n           B. Mailed 747 letters to the taxpayers named on the 750 Forms 2848.3 We asked the\n              taxpayers to confirm that they gave the tax professional permission to file a power of\n              attorney and that they signed a Form 2848.\nIV.        Determined if tax professionals not authorized to submit Forms 2848 using Disclosure\n           Authorization actually submitted them using it.\n           A. Analyzed the IRS preparer file to identify those preparers who were not certified\n              public accountants, attorneys, or enrolled agents and compared them to those who had\n              submitted Forms 2848 using Disclosure Authorization during October or\n              November 2011.\n           B. *******************************2(f)*******************************\n              *******************************2(f)********************************\n              *******************************2(f)*********************************\n              *******************************2(f)***********************************\n              *******************************2(f)***********************************\n              *******************************2(f)***********.\nV.         We obtained Disclosure Authorization and Transcript Delivery System data processed\n           from e-Services online tools and stored on the Data Center Warehouse. We evaluated the\n\n2\n    We were unable to mail requests for 14 of the 750 Forms 2848.\n3\n    We were unable to locate addresses for three taxpayers.\n                                                                                             Page 16\n\x0c                                       Insufficient E-Services Controls May\n                                        Put Taxpayer Information at Risk\n\n\n\n        expected importance of the data and the anticipated level of risk in relying on the\n        computer-generated data obtained from Forms 2848 filed by tax professionals. We also\n        analyzed the dates of transactions to determine there was not missing data. In addition,\n        we compared these data to information on the Integrated Data Retrieval System4 and\n        determined the validity of the data. Our analysis determined the data were sufficiently\n        reliable for our audit purposes.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: the IRS\xe2\x80\x99s policies, procedures, and\npractices for preventing unauthorized access to taxpayer information. We evaluated these\ncontrols by interviewing management, reviewing the Internal Revenue Manual, reviewing the\nIRS\xe2\x80\x99s efforts to monitor e-Services online tools, and conducting a confirmation program to\nidentify powers of attorney submitted by tax professionals with taxpayer permission.\n\n\n\n\n4\n  IRS computer system capable of retrieving or updating stored information. It works in conjunction with a\ntaxpayer\xe2\x80\x99s account records.\n                                                                                                             Page 17\n\x0c                                Insufficient E-Services Controls May\n                                 Put Taxpayer Information at Risk\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAugusta R. Cook, Acting Assistant Inspector General for Audit (Returns Processing and Account\nServices)\nPaula W. Johnson, Acting Director\nWilma Figueroa, Audit Manager\nKenneth Carlson, Acting Audit Manager\nPam DeSimone, Senior Auditor\nLynn Faulkner, Senior Auditor\nJack Forbus, Senior Auditor\nGeraldine Vaughn, Senior Auditor\nNelva Usher, Auditor\nJames Avery, Chief, Modernized UNAX Development\nValerie Livingood, Information Technology Specialist\nJoseph L. Katz, Ph.D., Contractor, Statistical Sampling Consultant\n\n\n\n\n                                                                                     Page 18\n\x0c                              Insufficient E-Services Controls May\n                               Put Taxpayer Information at Risk\n\n\n\n                                                                          Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Services and Enforcement SE\nDeputy Commissioner for Services and Operations, Wage and Investment Division SE:W\nDirector, Office of Online Services SE:OLS\nDirector, Office of Professional Responsibility SE:OPR\nDirector, Return Preparer Office SE:RPO\nDirector, Customer Account Services, Wage and Investment Division SE:W:CAS\nDirector, Strategy and Finance, Wage and Investment Division SE:W:S\nDirector, Accounts Management, Wage and Investment Division SE:W:CAS:AM\nDirector, Submission Processing, Wage and Investment Division SE:W:CAS:SP\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Chief, Program Evaluation and Improvement, Wage and Investment Division\nSE:W:S:PEI\n\n\n\n\n                                                                                  Page 19\n\x0c          Insufficient E-Services Controls May\n           Put Taxpayer Information at Risk\n\n\n\n                                                 Appendix IV\n\nConfirmation Letter Sent to Taxpayers\n\n\n\n\n                                                      Page 20\n\x0cInsufficient E-Services Controls May\n Put Taxpayer Information at Risk\n\n\n\n\n                                       Page 21\n\x0cInsufficient E-Services Controls May\n Put Taxpayer Information at Risk\n\n\n\n\n                                       Page 22\n\x0c              Insufficient E-Services Controls May\n               Put Taxpayer Information at Risk\n\n\n\n                                                     Appendix V\n\nConfirmation Letter Sent to Tax Professionals\n\n\n\n\n                                                          Page 23\n\x0cInsufficient E-Services Controls May\n Put Taxpayer Information at Risk\n\n\n\n\n                                       Page 24\n\x0c        Insufficient E-Services Controls May\n         Put Taxpayer Information at Risk\n\n\n\n                                               Appendix VI\n\n  Form 2848, Power of Attorney\nand Declaration of Representative\n\n\n\n\n                                                    Page 25\n\x0cInsufficient E-Services Controls May\n Put Taxpayer Information at Risk\n\n\n\n\n                                       Page 26\n\x0c            Insufficient E-Services Controls May\n             Put Taxpayer Information at Risk\n\n\n\n                                                   Appendix VII\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                         Page 27\n\x0cInsufficient E-Services Controls May\n Put Taxpayer Information at Risk\n\n\n\n\n                                       Page 28\n\x0c                                 Insufficient E-Services Controls May\n                                  Put Taxpayer Information at Risk\n\n\n\n                                                                                      Attachment\n\nThe Commissioner, Wage and Investment Division, should:\n\nRECOMMENDATION 1\nIdentify tax professionals using Disclosure Authorization for purposes other than its intended\npurposes. This will allow the IRS to take appropriate corrective actions, such as deactivating\naccess to Disclosure Authorization, for tax professionals who present a risk. The IRS may\nidentify tax professionals who submit unusually large volumes of Forms 2848, especially if they\nare not preparing tax returns, and determine if they used the powers of attorney to circumvent the\nIRS's process for requesting transcripts.\n\nCORRECTIVE ACTION\nWe do not agree with the conclusion that tax professionals are improperly using Disclosure\nAuthorization (DA) by requesting transcripts. The instructions to the Form 2848 state that\nauthorization of an eligible representative will allow that individual to receive an inspect\nconfidential tax information.\n\nIMPLEMENTATION DATE\nN/A\n\nRESPONSIBLE OFFICIAL\nN/A\n\nCORRECTIVE ACTION MONITORING PLAN\nN/A\n\nRECOMMENDATION 2\n********2(f)*******************to verify that tax professionals are obtaining and retaining a\nsigned power of attorney before submitting one through Disclosure Authorization.\n***2(f)******\n**********************************2(f)*****************************************\n*********************************2(f)***************************.\n\nCORRECTIVE ACTION\nWe agree that some tax professionals may be unaware of the requirement to obtain and maintain\na hard copy of the signed Form 2848. We will take actions to better educate users of DA of the\nrequirement to obtain a signed Form 2848 prior to its electronic submission and to maintain the\nsigned copy in the authorized representative's files.\n\nIMPLEMENTATION DATE\n\n                                                                                          Page 29\n\x0c                                 Insufficient E-Services Controls May\n                                  Put Taxpayer Information at Risk\n\n\n\nOctober 15, 2013\n\nRESPONSIBLE OFFICIAL\nDirector, Accounts Management, Wage and Investment Division\n\nCORRECTIVE ACTION MONITORING PLAN\nWe will monitor this corrective action as part of our internal management control system.\n\nRECOMMENDATION 3\nReassess the policy for granting Disclosure Authorization access to unenrolled tax return\npreparers and registered tax return preparers. If the IRS decides not to grant them access to\nonline tools, the IRS should ensure they no longer have access to Disclosure Authorization. If\nthe IRS decides to continue granting access to unenrolled tax return preparers and registered tax\nreturn preparers, it should\n************************************2(f)********************************\n*************************************2(f)*************************************\n********************************2(f)**************************.\n\nCORRECTIVE ACTION\n********************************************2(f)*******************************\n*******************************************2(f)********************************\n************************2(f)*******************. We will reassess the current policy\nregarding access to DA and TDS for unenrolled and registered return preparers, and will take\nappropriate follow up action.\n\nIMPLEMENTATION DATE\nOctober 15, 2013\n\nRESPONSIBLE OFFICIAL\nDirector, Accounts Management, Wage and Investment Division\n\nCORRECTIVE ACTION MONITORING PLAN\nWe will monitor this corrective action as part of our internal management control system.\n\nRECOMMENDATION 4\nThe Commissioner, Wage and Investment Division, should ensure IRS employees do not have\nunauthorized access to e-Services online tools by periodically matching IRS personnel\ninformation to a listing of e-Services users. The IRS should revoke the e- Services access of\nemployees not authorized to have it and monitor the transactions of employees who are\nauthorized access.\n\n\n                                                                                            Page 30\n\x0c                                 Insufficient E-Services Controls May\n                                  Put Taxpayer Information at Risk\n\n\n\nCORRECTIVE ACTION\nWe agree that IRS employees should not have access to e-Services without a legitimate business\nneed. We have established procedures through our Online 5081 application to document\nauthorization and to validate, regularly, employees' access to DA and TDS through the Employee\nUser Portal. We have requested the list of employees and the methodology used during the audit\nto determine if they may have unauthorized e-Services access through the Registered User\nPortal. Once we have received the information, we will further investigate and deactivate any\naccounts found to have unauthorized access.\n\nIMPLEMENTATION DATE\nOctober 15, 2012\n\nRESPONSIBLE OFFICIAL\nDirector, Accounts Management, Wage and Investment Division\n\nCORRECTIVE ACTION MONITORING PLAN\nWe will monitor this corrective action as part of our internal management control system.\n\n\n\n\n                                                                                            Page 31\n\x0c"